session-titles
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill accesses local configuration files containing authentication secrets.
  - Multiple scripts, including eval-quality.ts, evolve-prompt.ts, run-eval.ts, and generate.ts, read and parse the ~/.claude/.env file to retrieve the ANTHROPIC_API_KEY for network authentication.
- [DATA_EXFILTRATION]: Private project data and session transcripts are sent to a third-party LLM provider.
  - The extract-candidates.ts script reads raw session transcripts from ~/.claude/projects/, which contain real code and project data.
  - This sensitive content is interpolated into prompts and transmitted to the Anthropic API for title generation and evaluation.
- [COMMAND_EXECUTION]: Shell commands are executed using unvalidated input from an external source.
  - In scripts/generate-core.ts, the getProjectName function executes git config using a cwd variable in a shell template.
  - The cwd value is passed via Bun.stdin in scripts/generate.ts, creating a command injection vector if the input source is controlled by an attacker.
- [PROMPT_INJECTION]: The skill processes untrusted session data within LLM prompts, making it susceptible to indirect prompt injection.
  - Ingestion points: Session transcripts are read from ~/.claude/projects/ and parsed in scripts/generate-core.ts.
  - Boundary markers: User messages are included in prompts via basic string interpolation with quotes (e.g., User's request: "${request}"), which fails to provide a secure boundary against instruction overrides.
  - Capability inventory: The skill possesses the capability to read and write local files and perform network operations via the Anthropic SDK.
  - Sanitization: The extractUserText function provides minimal filtering for system tags but does not protect against adversarial instructions embedded in the processed transcript text.
Recommendations
- AI detected serious security threats
Audit Metadata